diff options
| author | Simo Sorce <simo@redhat.com> | 2013-10-14 16:20:11 -0400 |
|---|---|---|
| committer | Günther Deschner <gdeschner@redhat.com> | 2013-10-18 15:46:24 +0200 |
| commit | a324853818fd75d7ec11c68de9d499f37228b26a (patch) | |
| tree | 2dfae31f9f6c130cac4ace0efa15d7c9820fc7f8 /proxy/src/gp_rpc_acquire_cred.c | |
| parent | 117ed0a24c47d91d7c0ba836b218f620195afd61 (diff) | |
| download | gss-proxy-a324853818fd75d7ec11c68de9d499f37228b26a.tar.gz gss-proxy-a324853818fd75d7ec11c68de9d499f37228b26a.tar.xz gss-proxy-a324853818fd75d7ec11c68de9d499f37228b26a.zip | |
Allow arbitrary users to connect to a service
The rpc.gssd daemon is changing to fork and change uid to the unprivileged
user it wants to authenticate, this means gssproxy needs to allow connection
from any euid. When this is done though, the trusted flag needs to be dropped,
if the connecting euid does not match the default trusted uid to prevent
improper impersonation.
Resolves: https://fedorahosted.org/gss-proxy/ticket/103
Reviewed-by: Günther Deschner <gdeschner@redhat.com
Diffstat (limited to 'proxy/src/gp_rpc_acquire_cred.c')
| -rw-r--r-- | proxy/src/gp_rpc_acquire_cred.c | 13 |
1 files changed, 6 insertions, 7 deletions
diff --git a/proxy/src/gp_rpc_acquire_cred.c b/proxy/src/gp_rpc_acquire_cred.c index c5bf1a2..0f53989 100644 --- a/proxy/src/gp_rpc_acquire_cred.c +++ b/proxy/src/gp_rpc_acquire_cred.c @@ -26,8 +26,7 @@ #include "gp_rpc_process.h" #include <gssapi/gssapi_krb5.h> -int gp_acquire_cred(struct gssproxy_ctx *gpctx, - struct gp_service *gpsvc, +int gp_acquire_cred(struct gp_call_ctx *gpcall, union gp_rpc_arg *arg, union gp_rpc_res *res) { @@ -49,7 +48,7 @@ int gp_acquire_cred(struct gssproxy_ctx *gpctx, acr = &res->acquire_cred; if (aca->input_cred_handle) { - ret_maj = gp_import_gssx_cred(&ret_min, gpsvc, + ret_maj = gp_import_gssx_cred(&ret_min, gpcall, aca->input_cred_handle, &in_cred); if (ret_maj) { goto done; @@ -80,7 +79,7 @@ int gp_acquire_cred(struct gssproxy_ctx *gpctx, for (i = 0; i < desired_mechs->count; i++) { desired_mech = &desired_mechs->elements[i]; - if (!gp_creds_allowed_mech(gpsvc, desired_mech)) { + if (!gp_creds_allowed_mech(gpcall, desired_mech)) { continue; } @@ -99,7 +98,7 @@ int gp_acquire_cred(struct gssproxy_ctx *gpctx, goto done; } } else { - ret_maj = gp_get_supported_mechs(&ret_min, gpsvc, &use_mechs); + ret_maj = gp_get_supported_mechs(&ret_min, &use_mechs); if (ret_maj) { goto done; } @@ -114,7 +113,7 @@ int gp_acquire_cred(struct gssproxy_ctx *gpctx, * that define keytabs and ccaches and principals */ if (gss_oid_equal(desired_mech, gss_mech_krb5)) { ret_maj = gp_add_krb5_creds(&ret_min, - gpsvc, + gpcall, in_cred, aca->desired_name, cred_usage, @@ -150,7 +149,7 @@ int gp_acquire_cred(struct gssproxy_ctx *gpctx, ret_min = ENOMEM; goto done; } - ret_maj = gp_export_gssx_cred(&ret_min, gpsvc, + ret_maj = gp_export_gssx_cred(&ret_min, gpcall, &out_cred, acr->output_cred_handle); if (ret_maj) { goto done; |